macos kernel anti-cheat

Preventing access to process memory


I made an example that writes into process memory using task_for_pid() and mach_vm_write().

task_for_pid(mach_task_self(), pid, &target_task);
mach_vm_write(target_task, address, '?', local_size);

Is there a way to block access to the memory of a specific process from other processes, like Cheat Engine, on OS X?

How do I prevent another process from calling task_for_pid?

Not that many others come to mind except hooking.


Solution

  • In OS X, the calls to task_for_pid are regulated by taskgated. Basically, unless it's your task, or you're root (or, in older systems, a member of the procview group), you won't get that elusive task port. But if you are allowed, then you have the port, and can do basically anything you want.

    Hooking won't help, since task_for_pid is a Mach trap - people can call it directly using the system call interface. iOS has much tighter controls on it (thanks to AppleMobileFileIntegrity.kext). If you want to control the trap, effectively the only way of doing so is writing a small kext to do the trick for you.